Found 17 bookmarks
Custom sorting
UNC4393 Goes Gently into the SILENTNIGHT
UNC4393 Goes Gently into the SILENTNIGHT
In mid-2022, Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant's initial identification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate UNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally been a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of their interests. However, this represents only a fraction of the cluster's victims, with the Black Basta data leak site purporting over 500 victims since inception. Over the course of this blog post, Mandiant will detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster's transition from readily available tools to custom malware development as well as its evolving reliance on access brokers and diversification of initial access techniques.
#Mandiant#EN#2024#QAKBOT#UNC4393#BlackBasta#SILENTNIGHT
·cloud.google.com·
UNC4393 Goes Gently into the SILENTNIGHT
Qakbot's Back, But Don't Y'all Panic: A Southern Tech Talk
Qakbot's Back, But Don't Y'all Panic: A Southern Tech Talk
Qakbot, a versatile malware threat, returned after a takedown in August. The new campaign targets the hospitality industry with IRS-themed phishing emails containing malicious PDFs. Microsoft identified the attack, offering two IP addresses for blocking and a way to detect the malware's digital signature.
#itssecurityyall#EN#2023#Qakbot#return#malware#hospitality#IRS-themed
·itssecurityyall.substack.com·
Qakbot's Back, But Don't Y'all Panic: A Southern Tech Talk
Qakbot botnet infrastructure shattered after international operation
Qakbot botnet infrastructure shattered after international operation
Active since 2007, this prolific malware (also known as QBot or Pinkslipbot) evolved over time using different techniques to infect users and compromise systems. Qakbot infiltrated victims’ computers through spam emails containing malicious attachments or hyperlinks. Once installed on the targeted computer, the malware allowed for infections with next-stage payloads such as ransomware. Additionally, the infected computer became part of...
#europol#EN#2023#QakBot#international#operation
·europol.europa.eu·
Qakbot botnet infrastructure shattered after international operation
Visualizing QakBot Infrastructure
Visualizing QakBot Infrastructure
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
#team-cymru#EN#2023#QakBot#Infrastructure#research#C2
·team-cymru.com·
Visualizing QakBot Infrastructure
Bypassing Qakbot Anti-Analysis
Bypassing Qakbot Anti-Analysis
QakBot is a banking trojan that has been evolving since its first version was discovered in 2008. According to the 2022 report published by CISA, it was one of the most active variants in 2021, and during 2022 and so far in 2023 it has remained quite active. Taking a brief look at the latests news of QakBot it has been updating its tactics constantly, for example, using a Windows zero-day to avoid displaying the MoTW or the most recent one, using OneNote files to drop QakBot. In this case we are particularly interested in the anti-analysis techniques used by QakBot during the early stages of its execution. These techniques can make malware analysis harder if they are not known, so learning to identify and bypass them is essential to get to see the malware’s operation at its full potential. Furthermore, there are techniques that can replicate / adopt different types of malware, so knowking them opens the door to the study of different samples.
#lab52#EN#2023#Qakbot#analysis#anti-analysis#techniques#TTP
·lab52.io·
Bypassing Qakbot Anti-Analysis
Bypassing Qakbot Anti-Analysis
Bypassing Qakbot Anti-Analysis
QakBot is a banking trojan that has been evolving since its first version was discovered in 2008. According to the 2022 report published by CISA, it was one of the most active variants in 2021, and during 2022 and so far in 2023 it has remained quite active. Taking a brief look at the latests news of QakBot it has been updating its tactics constantly, for example, using a Windows zero-day to avoid displaying the MoTW or the most recent one, using OneNote files to drop QakBot. In this case we are particularly interested in the anti-analysis techniques used by QakBot during the early stages of its execution. These techniques can make malware analysis harder if they are not known, so learning to identify and bypass them is essential to get to see the malware’s operation at its full potential. Furthermore, there are techniques that can replicate / adopt different types of malware, so knowking them opens the door to the study of different samples.
#lab52#EN#2023#Qakbot#analysis#anti-analysis#techniques#TTP
·lab52.io·
Bypassing Qakbot Anti-Analysis